
UnityAccessDecorator

UnityAccessDecorator is used by UnityCatalogServer to enforce access control rules on the following API service endpoints:

  • /api/2.1/unity-catalog/
  • /api/1.0/unity-control/ (except /api/1.0/unity-control/auth/tokens)

UnityAccessDecorator is used only when UnityCatalogServer runs with Server Authorization enabled.

UnityAccessDecorator uses AuthorizeExpression.

UnityAccessDecorator is a DecoratingHttpServiceFunction (Armeria).

Creating Instance

UnityAccessDecorator takes the following to be created:

While being created, UnityAccessDecorator creates the UnityAccessEvaluator (with the UnityCatalogAuthorizer).

UnityAccessDecorator is created when:

UnityAccessEvaluator

UnityAccessDecorator creates an UnityAccessEvaluator (with the UnityCatalogAuthorizer) when created.

This UnityAccessEvaluator is used to evaluate whether a principal is allowed to access securables (in checkAuthorization).

Serve Incoming HTTP Request

DecoratingHttpServiceFunction
HttpResponse serve(
  HttpService delegate,
  ServiceRequestContext ctx,
  HttpRequest req)

serve is part of the DecoratingHttpServiceFunction (Armeria) abstraction.

serve prints out the following DEBUG message to the logs:

AccessDecorator checking [path]

serve finds the service method (of the HttpService of the request).

When found, serve looks up the AuthorizeExpression and AuthorizeKey annotations of the method (if defined).

With an authorization expression found, serve finds the principal (of the current request) and authorizeByRequest with the principal, the authorization resource key locators and the expression.

When the service method cannot be found, serve prints out the following WARN message to the logs:

Couldn't unwrap service.

Find Service Method

Method findServiceMethod(
  HttpService httpService)
Static Method

findServiceMethod is a Java class method to be invoked without a reference to a particular object.

Learn more in the Java Language Specification.

findServiceMethod unwraps the given HttpService as a SimpleDecoratingHttpService and then unwraps that as an AnnotatedService (Armeria).

If the given HttpService is unwrapped to an AnnotatedService successfully, findServiceMethod prints out the following DEBUG message to the logs:

serviceName = [serviceName], methodName = [methodName]

findServiceMethod loads the Class by the serviceName and finds the methods of the Class with the methodName.

findServiceMethod returns the method only when exactly one method with the methodName is found. Otherwise (no such method, or an overloaded method name that matches more than one), it returns null, which makes serve report the "Couldn't unwrap service." WARN message.

Find Authorize Expression

String findAuthorizeExpression(
  Method method)
Static Method

findAuthorizeExpression is a Java class method to be invoked without a reference to a particular object.

Learn more in the Java Language Specification.

findAuthorizeExpression looks up the AuthorizeExpression annotation of the given method.

When found, findAuthorizeExpression prints out the following DEBUG message to the logs and returns the authorize expression value:

authorize expression = [annotation_value]

Otherwise, findAuthorizeExpression prints out the following DEBUG message to the logs and returns no authorize expression value (null):

authorize = (none found)

Authorize By Request

HttpResponse authorizeByRequest(
  HttpService delegate,
  ServiceRequestContext ctx,
  HttpRequest req,
  UUID principal,
  List<KeyLocator> locators,
  String expression)

authorizeByRequest...FIXME

Check Authorization

void checkAuthorization(
  UUID principal,
  String expression,
  Map<SecurableType, Object> resourceKeys)

In essence, checkAuthorization either returns normally (authorization granted) or throws a BaseException to indicate "Access denied".
checkAuthorization prints out the following DEBUG message to the logs:

resourceKeys = [resourceKeys]

checkAuthorization resolves the resource names (in the given resourceKeys) into resource IDs.

checkAuthorization prints out the following DEBUG message to the logs:

resourceIds = [resourceIds]

checkAuthorization requests the UnityAccessEvaluator to evaluate with the given principal, expression and the resolved resource IDs.

When the UnityAccessEvaluator does not authorize the principal for the expression and the resolved resource IDs, checkAuthorization throws a BaseException with the following message:

Access denied.
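The following walkthrough, added here as an example and not code from Unity Catalog or Armeria, mirrors the path described in the serve, findServiceMethod, findAuthorizeExpression and checkAuthorization sections above with a self-contained service class. The AuthorizeExpression and AuthorizeKey annotations are stand-ins for the project's own annotations, the CatalogService class and its endpoints are hypothetical, the OWNERS table and the evaluate method are a toy replacement for UnityAccessEvaluator (constructed sample data, not real grants), and resource IDs are keyed by a plain String where the project uses SecurableType. The serviceName and methodName are passed in directly instead of being read from an AnnotatedService.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;

// Added example, not Unity Catalog code. The annotations below are stand-ins for
// io.unitycatalog.server.auth.annotation.AuthorizeExpression and AuthorizeKey.
public class AccessDecoratorWalkthrough {

  @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
  @interface AuthorizeExpression { String value(); }

  @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
  @interface AuthorizeKey { String value(); }   // securable type name (hypothetical)

  // Hypothetical service: one guarded endpoint, one unguarded, one overloaded name.
  public static class CatalogService {
    @AuthorizeExpression("#authorize(#principal, #catalog, OWNER)")
    @AuthorizeKey("catalog")
    public String deleteCatalog(String name) { return "deleted " + name; }

    public String listCatalogs() { return "[]"; }           // carries no AuthorizeExpression

    public String getCatalog(String name) { return name; }
    public String getCatalog(String name, boolean full) { return name; }  // overload
  }

  static final class AccessDenied extends RuntimeException {
    AccessDenied() { super("Access denied."); }
  }

  // Mirrors findServiceMethod: load the class by name and keep the method only when
  // exactly one method carries that name; an overloaded name is ambiguous and yields null.
  static Method findServiceMethod(String serviceName, String methodName) throws ClassNotFoundException {
    Class<?> clazz = Class.forName(serviceName);
    List<Method> matches = Arrays.stream(clazz.getMethods())
        .filter(m -> m.getName().equals(methodName))
        .collect(Collectors.toList());
    return matches.size() == 1 ? matches.get(0) : null;
  }

  // Mirrors findAuthorizeExpression: the annotation value, or null for an unguarded method.
  static String findAuthorizeExpression(Method method) {
    AuthorizeExpression ann = method.getAnnotation(AuthorizeExpression.class);
    return ann == null ? null : ann.value();
  }

  // Toy stand-in for UnityAccessEvaluator: which principal owns which resource id.
  // Constructed sample data for this example only.
  static final Map<UUID, Set<UUID>> OWNERS = Map.of(
      UUID.fromString("00000000-0000-0000-0000-000000000001"),
      Set.of(UUID.fromString("11111111-1111-1111-1111-111111111111")));

  static boolean evaluate(UUID principal, String expression, Map<String, UUID> resourceIds) {
    // Only the OWNER check of the first resource key is modelled here.
    if (!expression.contains("OWNER")) return false;
    UUID resource = resourceIds.values().iterator().next();
    return OWNERS.getOrDefault(principal, Set.of()).contains(resource);
  }

  // Mirrors checkAuthorization: return normally or throw "Access denied."
  static void checkAuthorization(UUID principal, String expression, Map<String, UUID> resourceIds) {
    if (!evaluate(principal, expression, resourceIds)) throw new AccessDenied();
  }

  public static void main(String[] args) throws Exception {
    String svc = CatalogService.class.getName();   // binary name of the nested class
    UUID owner = UUID.fromString("00000000-0000-0000-0000-000000000001");
    UUID other = UUID.fromString("00000000-0000-0000-0000-000000000002");
    Map<String, UUID> ids = Map.of("catalog", UUID.fromString("11111111-1111-1111-1111-111111111111"));

    // Guarded endpoint: the owner is authorized, another principal is denied.
    Method delete = findServiceMethod(svc, "deleteCatalog");
    String expr = findAuthorizeExpression(delete);
    System.out.println("deleteCatalog expression: " + expr);
    checkAuthorization(owner, expr, ids);
    try {
      checkAuthorization(other, expr, ids);
    } catch (AccessDenied e) {
      System.out.println("other principal: " + e.getMessage());
    }

    // Unguarded endpoint: there is no expression for the decorator to evaluate.
    System.out.println("listCatalogs expression: " + findAuthorizeExpression(findServiceMethod(svc, "listCatalogs")));

    // Overloaded name: the lookup is ambiguous, which is the "Couldn't unwrap service." case.
    System.out.println("getCatalog method: " + findServiceMethod(svc, "getCatalog"));
  }
}
```

Compile and run with `javac AccessDecoratorWalkthrough.java && java AccessDecoratorWalkthrough`. The two caveats worth carrying over to a real deployment are the last two cases: an endpoint that lacks an AuthorizeExpression annotation gives the decorator nothing to evaluate, and a method name that matches more than one method makes findServiceMethod return null, so both deserve a look whenever the "authorize = (none found)" or "Couldn't unwrap service." messages show up in the logs.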

Logging

Enable ALL logging level for io.unitycatalog.server.auth.decorator.UnityAccessDecorator logger to see what happens inside.

Add the following lines to etc/conf/server.log4j2.properties:

logger.UnityAccessDecorator.name = io.unitycatalog.server.auth.decorator.UnityAccessDecorator
logger.UnityAccessDecorator.level = all

Refer to Logging.